While the focus of this book is educating readers in the ways of hardware hacking and security, one ultimate goal of Xbox hacking is to run homebrew software. This chapter is devoted to describing some of the homebrew software projects in progress for the Xbox at the time of this writing.
The goal of the Xbox-Linux project is to create a user-friendly and legal port of GNU/Linux and of GNU/Linux applications to the Xbox hardware platform. Thanks to the dedication and contributions of hackers around the globe, the Xbox-Linux project has had a great deal of success toward meeting its goals. A picture of the core Xbox-Linux project team can be seen in Figure 11-1, and the sidebars in this chapter and in Chapter 9 contain interviews with Xbox-Linux project team members. (The homepage for the Xbox-Linux project is http://xbox-linux.sourceforge.net.) Significantly, the Xbox-Linux project and its principal hackers are not anti-Microsoft. They are pro-“freedom to tinker,” and not puerile Microsoft-haters; they have an agenda that touches upon preserving the very freedoms of thought and speech that brought technology to where it is today.
Xbox-Linux is not the ultimate software project for the Xbox; on the contrary, it is just the beginning of Xbox software hacking. Porting the familiar GNU/Linux development environment to the Xbox enables a larger base of software hackers to join the Xbox hacking project. With GNU/Linux, the Xbox can run a wide variety of application software, from free open-source video games to word processing applications to clustering software for building Beowulf-style computer clusters.
Currently, in order to run Xbox-Linux, you need to install a GNU/Linux boot ROM using an alternate firmware device. This requires opening up the Xbox. Chapter 10 describes methods for building and installing an alternate firmware device for the Xbox via the LPC interface. Several vendors now offer easy-to-install LPC interface alternative firmware devices. Notably, the Xodus/Matrix device is the first alternative firmware device on the market with an entirely solderless installation procedure. All the tools you need to install the Xodus/Matrix device are described in Chapter 1, “Voiding the Warranty,” and the Xodus/Matrix device itself comes with some easy-to-follow instructions on how to program and use the alternate firmware device.
Michael, can you tell us a little bit more about yourself?
Born in 1979 in Erding/Germany, I’m a student of computer science at the Technische Universität München. I teach Assembly to students in the first semester, and I plan to have a MA degree next year. I have been working with computers since I was ten years old; my first computer was a Commodore 64, followed soon by a 386 PC. My main interests were always hardware and operating systems, and I was especially fascinated by the diversity of hardware architectures (Commodore, PC, Amiga, Macintosh, . . .) as well as popular embedded systems, such as gaming consoles. (Did you know the “SEGA CD” has three CPUs, one Z80 and two M68000?). That’s why I bought many video game systems for experimentation, such as the Nintendo SNES, the SEGA Genesis, and the Nintendo Game Boy. I also had a look at Linux for the SEGA Dreamcast, but I have never seen Linux for the Sony Playstation 2, since the whole set was really too expensive for me, both for experimentation and for real use.
How did you get into Xbox hacking, and in particular, the Xbox-Linux project?
On April 30th 2002, I bought an Xbox, convinced that it would be a great toy for hacking, and well-suited for Linux. After looking at the system software for an hour or two (I bought no game), I unscrewed the Xbox. Looking for information about hacking the box disappointed me at first: I didn’t find much more than how to connect the hard disk to a PC, and a site about Xbox Linux with virtually no information on it. So I decided to start my own Xbox hacking site and put information on it that I found out by connecting the hard disk to a PC.
Xboxhacker.net and the original Xbox Linux mailing list were a great help; they both attracted excellent hackers and published valuable information. Dissatisfied with the original infrastructure of the Xbox Linux Project, I decided to move to Sourceforge on May 23rd. Now every contributor could add anything to the website without having to go through the maintainer. But at that time, everything was still quite theoretical: Without the advent of modchips we couldn’t do much more than write code that “should theoretically work.” Andy Green’s Filtror accelerated everything: This mod made it possible to finish the bootloader and, with Milosch Meriac’s help, adapt the Linux kernel within a very short time.
The “anonymous donor” approaching me in June did not only lead to additional publicity of the project and therefore to even more contributors, but also to a personal friendship of mine: Walter Meyer, creator of the BioXX (OpenXbox) modchip happens to live only 20 kilometers away from my place. Among other things, he helped me a lot with modding my boxes, since I’m not really a soldering iron person.
With Linux already running on the Xbox, in December 2002 the Xbox Linux core team (Andy Green, Milosch Meriac, Franz Lehner, and me; Edgar Hucek unfortunately couldn’t come) met in person for the first time at the Chaos Computer Club Congress in Berlin.
My original motivation for everything was just that it’s fun and I could learn a lot by doing it. I didn’t start it because I wanted to harm Microsoft — still, I agree that Microsoft harms their customers by not letting them use the software they want to use on the hardware they bought, and that’s why the Xbox Linux Project is especially important.
[We’re] not “Anti-MS” or “MS-haters.” We dislike their marketing strategy, so we have a rational reason to work against them.
Is there anything more you’d like to say about the $200k prize for Xbox-Linux?
I think that the award didn’t attract people that wanted to see some money: Now one month after the deadline, the money still hasn’t been distributed yet and still not a single person has sent me a single question about when he will get the money. The award attracted the press; we got more publicity, and this way we got more hackers. But nobody did it because of the money. So we don’t want to be regarded as being paid for the job by Michael Robertson. A good proof is that we’re still all active after the deadline.
Can you tell us more about your “MIST X-Code hack”?
Some time after bunnie’s original hack, Andy extracted the MCPX ROM completely and Steve, Paul, and I started to analyze the code, and I reverse-engineered the X-Code interpreter contained within it. When looking for bugs that could be used to escape the X-Code interpretation loop, I found that a part of the code had already been written with our attacks in mind. This is my original disassembly:
        cmp   ebx, 80000880          ; ISA Bridge, MCPX disable?
        jnz   short not_mcpx_disable ; BUG: too specific: bits 24 to 30
                                     ; undefined and ignored by PCI hardware!
        and   ecx, not 2             ; clear bit 1 (MCPX ROM will be
                                     ; turned off by setting bit 1)
    not_mcpx_disable:
        mov   eax, ebx
        mov   dx, 0CF8h
        out   dx, eax                ; PCI configuration address
        add   dl, 4
        mov   eax, ecx
        out   dx, eax                ; PCI configuration data
        jmp   short next_instruction
I had been working with “PCI configuration” before, therefore I knew that the test for the attack was too specific: Similar codes would do the same, but they pass the test. So the MS developers had a good idea, but the implementation was wrong, thus telling us about their idea this way!
I sent my idea to Andy, Steve, and Paul, and they verified after a short time that 0x88000880 worked just as well as 0x80000880 to turn off the MCPX ROM and exit the interpreter by mapping the interpreter code out of memory!
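The bug in the listing above, recast as an added example (not code from the interview or from the Xbox-Linux project): a model of the X-Code PCI-write step with the ROM’s exact-match test beside a test that masks the reserved address bits before comparing. The constants mirror the listing; the address layout (bit 31 enable, bits 30..24 reserved) is the standard PCI configuration-address format, and the function names are my own.

```c
/* Model of the X-Code PCI-write filter from the MCPX ROM (added example, not the original code).
 * PCI configuration address (port 0CF8h) format: bit 31 = enable, bits 30..24 = reserved
 * and ignored by the hardware, bits 23..0 = bus/device/function/register. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PCI_ADDR_RESERVED  0x7F000000u  /* bits 30..24: not decoded by the bridge         */
#define MCPX_DISABLE_ADDR  0x80000880u  /* bus 0, device 1 (ISA bridge), register 80h    */
#define MCPX_DISABLE_BIT   0x00000002u  /* bit 1 of that register turns the MCPX ROM off */

/* Filter as written in the ROM: only the exact value 80000880h is caught. */
static uint32_t filter_strict(uint32_t addr, uint32_t data)
{
    if (addr == MCPX_DISABLE_ADDR)
        data &= ~MCPX_DISABLE_BIT;      /* clear bit 1 before the write goes out */
    return data;
}

/* Corrected filter: compare the form the hardware will actually decode. */
static uint32_t filter_masked(uint32_t addr, uint32_t data)
{
    if ((addr & ~PCI_ADDR_RESERVED) == MCPX_DISABLE_ADDR)
        data &= ~MCPX_DISABLE_BIT;
    return data;
}

/* What the PCI bus sees for a given address word: reserved bits dropped. */
static uint32_t pci_decoded_addr(uint32_t addr)
{
    return addr & ~PCI_ADDR_RESERVED;
}

/* Does a write (addr, data) still turn the MCPX ROM off after the filter has run? */
static bool rom_gets_disabled(uint32_t (*filter)(uint32_t, uint32_t),
                              uint32_t addr, uint32_t data)
{
    uint32_t out = filter(addr, data);
    return pci_decoded_addr(addr) == MCPX_DISABLE_ADDR && (out & MCPX_DISABLE_BIT) != 0;
}

int main(void)
{
    /* The two address words discussed in the interview. */
    const uint32_t addrs[] = { 0x80000880u, 0x88000880u };
    for (size_t i = 0; i < sizeof addrs / sizeof addrs[0]; i++) {
        printf("addr %08X: ROM disabled despite strict filter: %s, despite masked filter: %s\n",
               addrs[i],
               rom_gets_disabled(filter_strict, addrs[i], MCPX_DISABLE_BIT) ? "yes" : "no",
               rom_gets_disabled(filter_masked, addrs[i], MCPX_DISABLE_BIT) ? "yes" : "no");
    }
    return 0;
}
```

The general lesson is the one the interview draws: a deny-list check must compare the canonical form the hardware decodes, not one literal encoding of it.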
Microsoft can and will revise their motherboard layout and security system, so check with your device vendor for compatibility with your specific system hardware before making a purchase. You will also need an Xbox gameport to USB converter cable if you wish to use a standard keyboard and mouse with the Xbox, which can be purchased through aftermarket retailers such as Lik-Sang (http://www.lik-sang.com) or you can build one yourself by following the step-by-step guide in Chapter 4.
Before installing your alternative firmware device, you will need to program it with a ROM image that boots the GNU/Linux kernel. “Cromwell” is an open-source, clean-room (i.e., contains no Microsoft code) boot ROM for the Xbox that is capable of booting GNU/Linux. Significantly, the information contained in the Cromwell source code and binary image cannot be used to bypass any of the native copyright control mechanisms built into the Xbox. In other words, it is difficult to argue that Cromwell is any kind of copyright control circumvention tool. (Cromwell can be downloaded from the Xbox-Linux website on the Sourceforge.net server at http://xbox-linux.sourceforge.net.)
After burning the Cromwell ROM to your alternate firmware device and installing the device in the Xbox, you will need to burn onto CD/RW media a GNU/Linux install image that you can download from the Xbox-Linux website (again, http://xbox-linux.sourceforge.net). This install image comes as a fairly hefty (100+ MB) ISO image, compressed using bzip2, and it contains all of the software, interfaces, and tools necessary for getting a user-friendly GNU/Linux distribution up and running on the Xbox. When burning this ISO image, you must use the burn image option in the CD burner software. Do not copy the ISO image onto the CD as a single large file. (ISO images are literal bit patterns for a CD, so an ISO image already contains a complete filesystem description. Burning an ISO image as a regular file, instead of as an image, encapsulates the ISO image in a new filesystem, so the ISO just appears as a “bag of bits” instead of a filesystem with files.)
You may also need a second disk burned with the boot program for Xbox-Linux. This boot program comes as a smaller ISO image that should be available from the same place where you downloaded the main GNU/Linux install image. This boot image allows you to boot the Linux installation by simply dropping it into the Xbox, just like starting a game. (You can also copy the contents of this disk onto the hard drive using a third-party dashboard and boot Xbox-Linux directly from the hard drive if you prefer not to deal with a separate boot disk.)
Burning a good CD/RW image is perhaps one of the trickiest parts of installing Xbox-Linux. The laser used inside the DVD-ROM drive of the Xbox is not well-suited for reading writeable CD media, so the Xbox is very finicky about the kind of media and the kind of burner as well as the burner settings used to create the CD image. Furthermore, the exact details of how the laser is degraded varies from Xbox to Xbox and is dependent upon the model of drive that happened to be installed. Users have found that few Xboxes can reliably read CD-R media, so CD/RW media must be used. In addition, it helps to burn the CD/RW media at the slowest burner setting using either a fresh, blank CD/RW, or a CD/RW that has been fully erased (as opposed to the quick erase that just resets the filesystem and does not actually destroy previously written data).
Before committing to a particular type of CD/RW media, try using the regular Xbox Dashboard’s WMA ripping tools to copy the contents of a CD/RW that you burned with music to the hard drive. If this works reliably and without error, you can probably use that kind of CD/RW media for installing Linux. (Many Xbox-Linux installation problems have been traced to problems reading data off of the CD/RW drive.) At the time of this writing, there are no distributions available in hard-pressed CD-ROM media. There is some talk in the Xbox-Linux community of ordering a set of custom CD-ROM images, since this would solve many of the CD/RW headaches that users have been experiencing. (Also note that it is possible to install in your Xbox an after-market DVD-ROM drive that has better compatibility with writeable CD formats, as discussed in the previous chapter.)
Keep in mind that Xbox-Linux is an active project that is constantly evolving. The most up-to-date instructions for installing GNU/Linux on the Xbox can be found at the Sourceforge Xbox-Linux website, and these instructions have been translated into at least a half-dozen languages at the time of this writing. If you are interested in contributing your talents to the Xbox-Linux project, there is a list of projects to-do on the Sourceforge Xbox-Linux website as well as some instructions on how to join the developer’s mailing list.
There is a work in progress, referred to as “Project B” by the Xbox-Linux developers, to find a way to install and boot Xbox-Linux without any hardware modifications. The Project B moniker comes from the criteria defined for the awarding of a $200,000 prize offered by Michael Robertson, the CEO of Lindows. The “Project A” prize was $100,000 and it has been awarded to the first group to get Linux running on an Xbox with hardware modifications. The remaining $100,000 will be awarded to the individual or group that completes Project B. The asymmetric division of the prize money hints at the challenge of completing Project B. (More details on Project B can be found at the Sourceforge Xbox-Linux website at http://xbox-linux.sourceforge.net/articles.php?aid=2002354043211.)
There are a number of Project B strategies being pursued by various groups. The most conceptually simple approach is to factor the 2048-bit RSA key used to sign Xbox game disks. This approach is being pursued by OperationProjectX (http://sourceforge.net/projects/opx) using a distributed computing approach. Simply put, if the 2048-bit RSA key is factored to reveal Microsoft’s private key, anyone can forge Microsoft’s digital signature and create bootable game disks for the Xbox, given that Microsoft never removes from the Xbox kernel the ability to load programs from regular CD or CD/RW media. Significantly, Microsoft ships its games on 2-layer DVD-9 format disks with special security structures. The Xbox firmware could be configured by Microsoft to only boot from disks that have this particular structure, regardless of the digital signature check. Since it is currently impossible to burn 2-layer DVDs using a common DVD burner drive, requiring secured DVD-9 media as the only source for executables would present an impairment to distributing Xbox-Linux through free downloads off the Internet. The other problem with this approach is that the chance of successfully factoring the Xbox’s private key through a brute force search is very, very small. (Chapter 7, “A Brief Primer on Security,” contains a sidebar on “Very Difficult Problems” that attempts to communicate the computational difficulty of this task.) If the private key is successfully recovered within a reasonable amount of time by this approach, it will significantly reduce people’s confidence in the RSA algorithm. (On the other hand, you can never win the lottery if you don’t buy a ticket, and running a free distributed factoring client using the spare cycles on your CPU is much cheaper than a Powerball ticket.)
Another approach, related to cracking the RSA-2048 bit key, is to modify an existing, signed Xbox executable in a useful manner without changing its cryptographic hash value. Such a constructive hash collision would make the modified executable look identical to the original as far as the digital signature check is concerned. The hash used in the Xbox’s digital signature algorithm is SHA-1. SHA-1 is a 160-bit hash with no publicly known algorithmic weaknesses; since the source of the hash is fixed, about 2^160 random variations would have to be tried to discover a collision. As a side note, you can’t use a birthday attack to reduce the difficulty of the attack to 2^80 random variations because we are not trying to find two messages that hash to the same arbitrary value. The goal is to generate a specific target hash, or perhaps one of a very limited set of target hashes harvested from the set of all published Xbox game titles. Hence, this approach also falls into the category of “Very Difficult Problems.”
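As an added illustration (not part of the original text), here is the counting argument behind the figures above, with n = 2^160 the number of SHA-1 outputs, N the number of modified executables tried, and k an assumed number of target hashes harvested from published titles:

$$
\begin{aligned}
\text{collision among the } N \text{ candidates (birthday):}\quad
& P \approx \frac{N^2}{2n}, && N \approx \sqrt{2n} \approx 2^{80} \text{ for } P \approx \tfrac{1}{2};\\[4pt]
\text{second preimage of one fixed signed hash:}\quad
& P = 1-\Bigl(1-\frac{1}{n}\Bigr)^{N} \approx \frac{N}{n}, && \mathbb{E}[N] = n = 2^{160};\\[4pt]
\text{any one of } k \text{ harvested hashes:}\quad
& P \approx \frac{kN}{n}, && \mathbb{E}[N] \approx \frac{2^{160}}{k}.
\end{aligned}
$$

The 2^80 birthday figure counts pairs among the forger’s own candidates, none of which carries Microsoft’s signature, so it does not apply; even with an illustrative k = 2^10 titles the expected work is still about 2^150 trials.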
An alternative approach to Project B is to find security holes in Xbox software and use the holes to seize control of the CPU’s instruction pointer. To see how this is helpful, consider this example: Suppose a network-based buffer overrun exploit was discovered in a game that can lead to arbitrary code execution. A program running on a PC connected to the Xbox via the network could then use this exploit to send packets to the Xbox that would install a simple bootloader for Xbox-Linux. This bootloader could be something as simple as a program that runs code at a designated location on the Xbox’s hard drive or on the DVD drive. (Any port where the Xbox can accept data is a vector for this kind of attack, including the USB and network port as well as the hard drive and the DVD-ROM drive.) Corrupted save games or file structures can be imaged onto the hard drive or DVD-ROM drive that cause the Xbox to run user-developed code. To Microsoft’s credit, all of the network interactions and save game protocols use fairly strong and well-tested security techniques. In addition, I heard at a presentation about the Xbox by Microsoft at MIT that all game code is inspected by a buffer overrun checker and that Microsoft has contractual remedies against game developers that are found guilty of putting deliberate back doors into their game code. This points to the Xbox code base being more secure than a typical Microsoft product, which makes it all the more interesting as a problem for hackers to work on. (If you are interested in participating in hacking on the Xbox as a part of “Project B,” I encourage you to first check out the Project B Prize Rules web page at http://xbox-linux.sourceforge.net/articles.php?aid=20030023081956.)
Recently, a buffer overrun exploit was discovered in the way saved games are handled by Electronic Arts’ “007: Agent Under Fire” game. The exploit was first divulged by a hacker known simply as “habibi_xbox” on March 29, 2003 through a posting on the XboxHacker.net BBS. Significantly, the exploit was identified in an undisclosed number of games, but “007: Agent Under Fire” was the only game explicitly named in the posting. The exploit leverages an unchecked string to run a short segment (a few hundred bytes) of code that inserts a series of kernel patches. Various measures were included in the design of the hack to make it very difficult to modify the hack to do anything other than run the intended Xbox-Linux target. For example, the hack patches the original Xbox RSA public key, used for verifying digital signatures, with a new public key, while leaving the digital signature check algorithm unpatched. Only the Xbox-Linux bootloader, provided as part of the hack, is appropriately signed with the corresponding new private key. Other hackers would have to factor the new public key in order to use this hack to run other executables. Also, the “007: Agent Under Fire” game itself performs an independent digital signature check on all saved games, so modifying the exploit code in the hacked savegame file is not trivial. The inclusion of such security measures in the hack is a laudable decision on the part of the hack’s implementer, as it helps ensure that the hack is not directly useful for applications such as piracy. Implementing security measures that protect Microsoft’s interests may help save the Xbox-Linux project from the wrath of Microsoft and the U.S. Department of Justice.
Can you tell us a little bit about yourself?
My general history is fairly simple. I was born in 1976 in Czechoslovakia. My parents (my mother is a teacher, my father is a civil engineer) escaped during the Cold War to western Germany because of repressions by the communist regime. I was about three years old when we arrived in Germany. In German kindergarten I immediately learned the German language. From this point it was really simple — being ten years old, I got my first computer after some months of whining. Things started to roll.
After school leaving exams and a weird intermezzo at German Federal Armed Forces Military Duty, I started studying cybernetics and computer science, but I decided after three years to quit university and to concentrate as a longterm objective on my own company. During my studies I established some valuable business connections, so it was easy to work as a freelancer for various companies in Germany. I did some reverse engineering projects, developed realtime embedded linux systems with small footprint, did some lowlevel programming like realtime extensions for Windows systems, and developed a software based harddisk safeguard for a famous German company. I now live with my girlfriend in Berlin and we are having a great time there.
Why do you hack?
After getting more experienced in programming I started to discover that the beautiful and bright entity of the computer world is in fact a fragile patchwork.
In the beginning hacking was like a game for me. You could walk around inside your computer system discovering worlds of new code and possibilities every single day. Occasionally one could challenge the application authors to a duel by trying to analyze and circumvent their copy protections. Sometimes it was like playing chess; other times it was like a deathmatch.
On one hand I was excited to see my knowledge growing and on the other hand it was naturally a great ego boost for a 14 year old child to circumvent security systems of overpaid godlike hardcore programmers. During my time in senior high school, I revised this view — while programming tools and applications for some local companies during school vacations I met some genuine programmers — and was disappointed: they were neither gods, nor godlike.
After some time I realized that writing a cool demo, hacking application X, or finding a nifty hack for Y doesn’t change the world more than a sack of rice toppling down somewhere in China. So I started choosing my realms more wisely — technologies of everyday life like telephones, computers, networks and satellites. I found out that one has the power to change things by explaining technology to average users or by helping companies to secure their products.
Today I am aware of my power as whitehat hacker. Every person in today’s life is affected by information technologies: surveillance techniques, data mining, information warfare, Digital Millennium Copyright Act, TCPA, digital rights management, new interpretations of copyright and patent law are growing like mushrooms after monsoon rain. Like in my past I ache to peek behind these beautiful and bright entities, and hopefully find the bugs and traps before they find us.
Can you tell us about your experience with the Xbox-Linux project?
I joined the Xbox Linux project and helped to get the kernel running, which was tricky because the Xbox architecture has some traps and differences compared to a personal computer. I created the early Linux distributions for Microsoft’s Xbox. This was important because we had only 1 MB flash available to store the complete distribution and the kernel, and the hard disk wasn’t unlocked yet. I also provided a console driver for Andy Green’s filtror device, so we were able to see the kernel boot messages and get a linux console by using his device as some sort of remote interface. This distribution already included network drivers, soundcard drivers, mp3 support, a telnet server, webserver, NFS support, and a broad range of standard linux tools. This enabled us to get rid of our custom-made hardware and allowed hundreds of people to join the project, either as code contributors or as test persons. We had no screen output yet, so I added a framebuffer interface to the Xbox Linux kernel and made many other contributions.
The number of contributing developers started to grow enormously. We get awesome help from all over the world to make Xbox Linux possible. Some stay hidden because they are afraid of legal uncertainties like the DMCA in United States, while others can contribute freely.
Do you have any other comments you would like to share?
Some people may ask why full-grown people like me fiddle about with this Xbox toy. Every person certainly has his own reasons; my reason is to improve my skills and to learn more about recent technologies. The Microsoft Xbox for instance is the predecessor of a TCPA/Palladium protected computer, with all the technical and social implications. It’s a fine playground for my research on more secure computer systems without pressing users.
One of the main reasons is our community. It’s really fun and a great pleasure to work together with these bright geeks — online and especially offline in a pub with pints of fine beer. I am amazed every day by the growing strength of our community. Thanks to all for making this possible!
Looking forward, the success of Project B could spell either a new age for Xbox hacking, or the demise of Xbox hacking. Even though Project B hackers have demonstrated social conscience and good will by trying to protect Microsoft’s interests, it is impossible to prevent less scrupulous hackers from reverse engineering the hack and eventually figuring out how to reproduce the technique in some less Microsoft-friendly form. The end result could either be a harsh crackdown by Microsoft upon all hacking activity, or Microsoft exiting the video game business altogether since their revenue stream would be cut off like Sega’s in the Dreamcast piracy debacle. Or, Microsoft could just elect to plow more money into the business and release a redesigned console that incorporates patches and countermeasures for known security holes. The outcome will depend heavily upon how events unfold in the next few months. However, with deep price cuts on the horizon for the Xbox and rumors of a thoroughly redesigned “shrink” version of the console floating around, it seems that Microsoft’s near-term strategy is to focus its energies on storming the market instead of stemming fair-use or piracy. After all, every Playstation2 or Gamecube sold probably has a worse effect on Microsoft’s business than every Xbox converted to run GNU/Linux, or even an Xbox converted to run pirated games.
Many interesting and useful projects for the Xbox, such as the XboxMediaPlayer and MAME-X (Multiple Arcade Machine Emulator for the Xbox), have been developed for the native Xbox gaming platform. Unfortunately, these programs were developed using unauthorized versions of the Microsoft Xbox SDK (Software Development Kit). Microsoft’s Xbox SDK is supposed to be available only to approved, licensed developers. However, the SDK was leaked even before the console was launched, and since then many have used the leaked Xbox SDK for creating their own Xbox programs. While the proprietary Xbox SDK is convenient and easy to use, it is also technically illegal to use. The lack of a legal SDK for the native Xbox platform makes it difficult to attract a large base of open-source developers.
The OpenXDK project was created to address the need for a legal alternative to the Xbox SDK. OpenXDK’s stated goal is to create a legal development kit for creating Xbox Executables (XBEs). OpenXDK will allow users to create native XBE files that, when signed with the appropriate digital signature, could run on a vanilla Xbox. Since this appropriate digital signature is as of yet unknown, this work is done in anticipation of a legal technology that enables interoperability with programs developed using the OpenXDK.
Despite its utility, the OpenXDK project is still in its nascence and is looking for developers. More about the OpenXDK project can be found at http://openxdk.sourceforge.net. OpenXDK’s project managers are Dan Johnson (also known as SiliconIce, the creator of the XboxHacker BBS) and Aaron Robinson (also known as caustik; caustik is also leading the CXBX executable relinker and the CXBE Xbox emulator projects).